Category: Claims handling · Reviewed by Matt Bartlett, Director · Founder · Last reviewed 2026-06-11
A confidentiality undertaking is a written promise — typically by an outside adviser, witness, expert or third party — to keep claim-related information confidential and to use it only for defined purposes.
Insurance claims handling produces a stream of sensitive information: policyholder data, third-party personal data, regulatory correspondence, draft pleadings, expert reports, witness statements, settlement positions and coverage analyses. Almost every piece of that information is privileged, confidential or both. The discipline of the claim file requires that everyone with access to it is bound to use the information only for claim purposes and not to disclose it externally.
Confidentiality undertakings formalise that discipline. They are given by anyone who is not already bound by a comparable professional duty — typically experts, consultants, mediation participants, public-relations advisers, third-party adjusters, technical investigators and, in some structures, the policyholder’s senior management who are not directly party to the litigation but need to be briefed.
The duty of confidence has multiple sources. At common law, the equitable duty of confidence arises where information of a confidential character is communicated in circumstances importing an obligation of confidence (Coco v AN Clark (Engineers) Ltd [1969] RPC 41; Attorney General v Guardian Newspapers Ltd (No 2) (Spycatcher) [1990] 1 AC 109).
Under statute, UK GDPR and the Data Protection Act 2018 impose duties on the handling of personal data; the lawful basis for processing in claims contexts is typically performance of the contract of insurance (Article 6(1)(b)) and substantial public interest (Article 9(2)(g) for special category data).
In litigation, the implied undertaking in respect of documents disclosed under court rules (CPR 31.22) prevents the use of disclosed documents for collateral purposes. The implied undertaking endures even after the proceedings end, though it can be released by the court for good reason.
For solicitors, SRA Principle 7 (acting in the best interests of clients) and the wider duty of confidence underpin information handling. For barristers, the BSB Handbook imposes parallel duties.
For experts under CPR Part 35, the expert’s duty to the court is paramount, but the practical handling of confidential material disclosed to the expert is typically managed by a confidentiality undertaking signed at instruction.
A confidentiality undertaking is signed at the start of any engagement that involves access to sensitive claim information. The undertaking typically contains:
The discipline matters because breaches can have significant consequences. An expert whose draft report is leaked could be exposed to claims for breach of contract or breach of confidence. A third-party adviser whose internal email about a sensitive coverage position is forwarded externally could be in breach of the implied undertaking and face contempt proceedings.
For mediation, the participants — the parties, their lawyers, the mediator — sign a mediation agreement that typically contains comprehensive confidentiality provisions. This is the principal confidentiality undertaking in dispute resolution.
For internal briefings, the policyholder’s senior management may sign undertakings before being briefed on sensitive aspects of the claim. This is particularly common in D&O claims where the directors’ personal positions may diverge from the company’s.
Joint defence agreements between multiple defendants (or between an insured and its insurer in complex coverage situations) typically contain confidentiality provisions that operate as undertakings between the parties.
“One-way” undertakings flow from the recipient to the discloser only — the standard structure for engaging an expert or adviser.
“Two-way” undertakings are mutual confidentiality agreements where both parties may be exchanging confidential material.
“Limited-duration” undertakings expire after a stated period; rare in claim contexts because most claim information remains confidential indefinitely.
“Sectorial” undertakings restrict use to specific aspects of the engagement — for example, a coverage adviser bound only on coverage materials, not on underlying merits material.
“Class” undertakings cover groups of recipients — for example, a single undertaking from a consultancy firm covering all of its personnel who may work on the matter.
A solicitors’ PI insurer engages a forensic IT consultancy to investigate a claim arising from alleged data leakage. The engagement letter contains a confidentiality undertaking: the consultancy and its named personnel agree to keep all claim-related information confidential, to use it only for the investigation, and to return or destroy documents on completion of the engagement, with these obligations surviving termination indefinitely. Three months into the investigation a junior consultant attends a public industry conference and presents on “lessons learned from recent data-leakage matters” using an anonymised version of the case. The consultant’s draft includes screenshots from the policyholder’s system that, while anonymised, contain identifiable data. The PI insurer learns of the presentation through a contact in the audience, demands its withdrawal, and seeks compensation for the breach. The consultancy’s professional liability insurer accepts the breach and pays the insurer’s investigation costs and the policyholder’s heightened reputational mitigation costs. The consultant is removed from the engagement; the consultancy revises its internal training on confidentiality undertakings.
By Matt Bartlett, Director, on 2026-06-11. Next review: 2026-12-11.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-11. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.